Category Archives: Security

AutoSSL has been part of cPanel/WHM since version 54. It helps in adding and managing SSL certificates provided by Let’s Encrypt and cPanel, and it fully automates the installation and renewal of free SSL certificates, which are valid for 3 months.

Hostdepartment provides the AutoSSL feature to its Linux unlimited hosting users and Linux Reseller account holders. AutoSSL is enabled by default, so SSL certificates and HTTPS are enabled for all your sites by default. If you need a dedicated SSL provider, you can also purchase our low-cost SSL certificates, which are valid for 1 year or more, for as low as $11.95 per year.

The SSL certificates are automatically installed for all domains and subdomains of the sites hosted in your cPanel, in addition to the aliases below:

mail.domain.com

webmail.domain.com

cpanel.domain.com

whm.domain.com

If you use one of the above aliases to access your cPanel, webmail or WHM, you get an HTTPS connection for logging in to the control panel, webmail or WHM.

Do you have a cPanel hosting or reseller account with us and do not see HTTPS for your site? You can contact us by live chat or email or through a support request form.

DDoS stands for distributed denial of service. The attack is well coordinated and uses the internet to get into a system and attack the network. Many computers connected to the internet can also be used to attack other systems. If a denial-of-service attack hits a computer or network, the user will not be able to access email or the internet. These attacks can be directed at an operating system (OS) or a network.

How did DDoS attacks start?

DDoS attacks started in the late 90s. Initially the attackers made full use of the victim’s bandwidth so that others could not get the service. To make these attacks more damaging, many attackers had to synchronize manually. This type of attack became public in 1997, when a DDoS attack tool called “Trinoo” was released and made publicly available.

Types of DoS attacks:

DoS attacks are classified into three types based on the method of attack. They are:

1. Bandwidth/Throughput Attacks:

These types of attacks are further classified as follows:

Ping Flood Attack: The attacker targets the bandwidth of the connection, saturating the network with ICMP echo request packets so as to slow or stop the traffic going through it.

Distributed SYN Flood: The attack draws on the bandwidth of many machines. By doing so it can use a large number of loosely distributed computers to create one big flood attack.

UDP Flood Attacks: UDP has a very easy-to-use interface for producing large quantities of packets. An attacker can therefore produce a large volume of packets with little effort, and this is how a victim’s network is flooded with UDP packets.

2. Protocol Attacks:

These types of attacks are divided into two:

Smurf Attack: Here an IP packet carrying an ICMP echo request, spoofed to carry the address of the victim’s system, is sent to a destination address on an intermediate network. Sending the ICMP echo request to that destination address triggers all the hosts on the network, which produces a large number of packets that are routed to the spoofed IP address.

DNS Name Server Attack: This is one of the most common attack methods. The attacker sends a high number of UDP-based DNS requests to a nameserver using a spoofed IP address. Every nameserver response is then sent back to the spoofed IP address, and this address is the victim of the DoS attack. As a result, it is difficult for the nameserver or the victim to determine the true source of the attack.

3. Software Vulnerability Attacks:

These attacks are divided into 3 types:

Land Attack: This kind of attack uses TCP/IP. The attacker sends TCP SYN packets whose source and destination addresses are the same, namely the victim’s host address. When the TCP/IP stack processes such packets, the victim’s host may crash or hang. You can reduce the chance of your network being used to originate forged packets by filtering outgoing packets whose source address is different from your internal network.

Ping of Death Attack: Here an attacker tries to crash, hang or reboot a system by sending an illegal ICMP packet to the victim. Generally TCP/IP allows a maximum packet size of 65536 octets; if a packet is larger than that, the victim’s host may crash. ICMP usually uses a header of 8 octets but allows the user to specify larger sizes. In a Ping of Death attack the ICMP packet is sent as small fragments which, when reassembled, turn out to be an oversized packet.

Teardrop Attack: In this type of attack a small packet is sent first. Then another packet, said to be part of the first, is sent. The second packet is too small to follow on from the first, which causes an error during reassembly, and the system may crash or hang. Fragmentation is necessary when a message is large, and at the receiving end all the fragments are reassembled into the complete message. Teardrop attacks target this step by sending fragments that do not fit together, which leads to a crash or hang when the system tries to assemble them.
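The checks a filter or IDS can apply to the three packet patterns above, plus the outgoing-packet filter mentioned under Land Attack, are shown here as an added example (not code from the original post). The `Fragment` model, the function names and the sample capture built from documentation addresses are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Largest datagram the 16-bit IPv4 Total Length field can describe.
MAX_DATAGRAM = 65535


@dataclass(frozen=True)
class Fragment:
    """One IPv4 fragment, reduced to the fields these checks need."""
    src: str
    dst: str
    ident: int         # identification value shared by fragments of one datagram
    offset_units: int  # fragment offset field, counted in 8-octet units
    payload_len: int   # octets of data carried after the IP header
    header_len: int = 20


def egress_allowed(pkt, internal_net):
    """Outgoing packets must carry a source address from our own network."""
    return ipaddress.ip_address(pkt.src) in ipaddress.ip_network(internal_net)


def check_datagram(fragments):
    """Return the sorted findings for all fragments of a single datagram."""
    if not fragments:
        return []
    findings = set()
    # Land: source and destination address are identical.
    if any(f.src == f.dst for f in fragments):
        findings.add("land")
    spans = sorted(
        (f.offset_units * 8, f.offset_units * 8 + f.payload_len) for f in fragments
    )
    # Ping of Death: the reassembled datagram would exceed the legal maximum.
    header = max(f.header_len for f in fragments)
    if header + max(end for _, end in spans) > MAX_DATAGRAM:
        findings.add("oversize")
    # Teardrop: a fragment starts before the data already covered has ended.
    covered_to = 0
    for start, end in spans:
        if start < covered_to:
            findings.add("overlap")
        covered_to = max(covered_to, end)
    return sorted(findings)


def scan(fragments):
    """Group fragments per datagram and report only the suspicious ones."""
    groups = {}
    for f in fragments:
        groups.setdefault((f.src, f.dst, f.ident), []).append(f)
    report = {}
    for key, frags in groups.items():
        findings = check_datagram(frags)
        if findings:
            report[key] = findings
    return report


# Constructed sample capture (documentation address ranges, not real traffic).
SAMPLE_CAPTURE = [
    Fragment("198.51.100.7", "192.0.2.10", 1, 0, 1480),     # normal, part 1
    Fragment("198.51.100.7", "192.0.2.10", 1, 185, 1000),   # normal, part 2
    Fragment("203.0.113.5", "192.0.2.10", 2, 0, 36),        # teardrop, part 1
    Fragment("203.0.113.5", "192.0.2.10", 2, 3, 4),         # starts inside part 1
    Fragment("203.0.113.6", "192.0.2.10", 3, 0, 1480),      # ping of death, part 1
    Fragment("203.0.113.6", "192.0.2.10", 3, 8189, 1480),   # ends past 65535
    Fragment("192.0.2.10", "192.0.2.10", 4, 0, 40),         # land
]

if __name__ == "__main__":
    for datagram, findings in scan(SAMPLE_CAPTURE).items():
        print(datagram, findings)
```
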

Effects of DDoS:

1. A DDoS attack on a site affects not only that site but also other sites on the same network and server.

2. When the provided bandwidth is attacked, it affects not only the victim host but also the bandwidth provider and others who share bandwidth with that service provider.

3. A DoS attack already increases the traffic to the site so much that the whole system can crash; customers logging in add more traffic on top of that, which definitely leads to a site crash.

4. Because the attack greatly increases bandwidth use, you need to pay extra for that additional bandwidth.

How to Handle DoS attacks:

1. Before an attack, take preventive measures such as separating client and server addresses, using path-based client addresses (which strictly avoids spoofed addressing), RPF checking of server addresses, and using midwalls.

2. Detection is very important: the earlier you detect an attack, the more you can lessen the damage. With an automated intrusion detection system you can detect attacks at an early stage and take the necessary action.

3. What you do after the attack is very important. Based on the attack, follow your procedures and take backups to avoid a huge loss. Try to keep traffic flowing; blocking traffic for a while and filtering it are also important.

Conclusion: It is always better to take precautionary steps against DDoS attacks, as they cause a lot of damage not only to the victim host but also to the entire network connected to that host.

Someday, when your business extends from a small region to the whole world, your business website will be viewed by people all over the world. When you had a small business and your site was hosted in only one place, that was fine; but now that it is viewed by people across the seas, do you think your site will be fast? The answer is NO, because as the area increases, the distance the files and folders of your site have to travel increases, which obviously increases page loading time and latency, and sometimes, due to routing issues, those files may not reach their destination and your website may not be displayed. There is a solution for this too, and it is a CDN (Content Delivery Network).

What is CDN?

A CDN (Content Delivery Network) is a network of servers placed in different parts of the world that hold the files of the website. When a website is requested, instead of the request travelling miles, the nearest server is approached, so the website loads fast and routing issues are avoided. For example, if an India-based website is accessed somewhere in New York and the site is also hosted in New Jersey, then instead of travelling all the distance from India to New York, the site’s files are transferred from New Jersey to New York, avoiding all the routing and other issues. It is like having servers that hold your files across the globe, reachable by people all around the world, making sure that your website loads fast. These servers are called “edge servers”.

How it works?

The working of a CDN goes through the following steps:

When a browser requests a domain name, a DNS request is made.

The server handling DNS requests looks up the domain name and sends back the IP address of the edge server closest to the area the request came from.

These edge servers are proxy caches, similar to browser caches. When a request reaches the edge server, it checks its cache to see whether the content is present.

If the content is present and the cache entry has not expired, the content is served directly from the edge server.

If the content is not present, the edge server makes a request to the origin server. The origin server is the true server of the website and can provide the information that is made available through the CDN.

As soon as the origin server sends the content, the edge server stores it in its cache based on the HTTP headers of the response and also delivers it to the browser.

When you make the request again, if the cache entry has not expired, the content is served directly from the edge server rather than fetched from the origin server.

Origin Server and Edge Server:

The edge servers just respond to requests and serve content accordingly, whereas the origin servers run on technologies like Java, .NET or others, so changes can be made on the origin server. Edge servers only hold a copy of the data present on the origin server, and that copy cannot be changed. A CDN is just a cache: if the data is always fetched from the origin server, the CDN has no value. Whenever an edge server has to make a request to the origin server, the CDN adds no value for that request; instead it costs more and takes longer. This is why JavaScript, CSS and image files are served from cached data, as they don’t change frequently.
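The steps above and the edge/origin split can be seen in a small simulation, given here as an added example rather than code from any CDN or from the original post. The `EdgeCache` class, the sample origin responses and the injected clock are assumptions; the header handling follows standard `Cache-Control` semantics for shared caches, so per-user pages marked `private` or `no-store` are never kept at the edge.

```python
def shared_cache_ttl(headers):
    """Seconds a shared cache (a CDN edge) may keep a response; 0 means never."""
    directives = [d.strip() for d in headers.get("Cache-Control", "").lower().split(",")]
    # private / no-store responses must not be stored by a shared cache.
    # no-cache is treated the same way because revalidation is not modelled here.
    if any(d in ("private", "no-store", "no-cache") for d in directives):
        return 0
    for name in ("s-maxage", "max-age"):  # s-maxage takes priority at the edge
        for d in directives:
            if d.startswith(name + "="):
                value = d.split("=", 1)[1]
                return int(value) if value.isdigit() else 0
    return 0


class EdgeCache:
    """Edge server: answer from cache when fresh, otherwise ask the origin."""

    def __init__(self, fetch_from_origin, clock):
        self.fetch_from_origin = fetch_from_origin  # callable(path) -> (body, headers)
        self.clock = clock                          # callable() -> seconds
        self.entries = {}                           # path -> (body, expires_at)
        self.origin_requests = 0

    def get(self, path):
        now = self.clock()
        entry = self.entries.get(path)
        if entry and now < entry[1]:
            return entry[0], "HIT"
        body, headers = self.fetch_from_origin(path)
        self.origin_requests += 1
        ttl = shared_cache_ttl(headers)
        if ttl > 0:
            self.entries[path] = (body, now + ttl)
        else:
            self.entries.pop(path, None)
        return body, "MISS"


# Constructed origin responses: a static asset and a per-user page.
ORIGIN = {
    "/css/home.css": ("body{margin:0}", {"Cache-Control": "public, max-age=3600"}),
    "/account": ("<h1>Hello, user 42</h1>", {"Cache-Control": "private, no-store"}),
}


def simulate():
    """Replay a few requests and return (statuses, origin request count)."""
    now = [0]
    edge = EdgeCache(lambda path: ORIGIN[path], lambda: now[0])
    statuses = [edge.get("/css/home.css")[1], edge.get("/css/home.css")[1]]
    now[0] = 3600                                   # the cached copy has expired
    statuses.append(edge.get("/css/home.css")[1])
    statuses += [edge.get("/account")[1], edge.get("/account")[1]]
    return statuses, edge.origin_requests


if __name__ == "__main__":
    print(simulate())
```
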

How to setup?

Whatever CDN you are looking at, there are mainly 5 steps common to setting up a CDN. They are:

Sign Up:

If a CDN site has been recommended to you, just go to that site and sign up for its service. In our case we prefer and suggest Cloudflare, so go to its site and sign up.

Getting Files into the CDN:

Most web page assets, such as JavaScript, CSS and images, should come from the CDN as they do not change frequently; only HTML pages come from your web host, that is, the origin server. Getting files into a CDN is not always easy, but Cloudflare makes it easy: you just give your URLs, choose the description that fits your site, and the rest is done automatically.

Decide your URL names:

The URL names we provide when adding files to the CDN change once the files are in the CDN. For example, if xyz.com/css/home.css was your CSS file name, after adding it to the CDN it will change to gf455633jhk/home.css, and this doesn’t look nice. So you can change it to cdn.xyz.com/home.css.

Make sure that the right files are called:

You can check this through WordPress or your CMS. You can just ask the CMS to swap the files using caching systems.

Testing:

You can test your site from different locations by using webpagetest.org.

Why CloudFlare?

Cloudflare helps in protecting and accelerating your website. It automatically optimizes the delivery of web pages and helps your site load faster. Before your page is displayed, Cloudflare filters out bots and other attackers before they can attack your website. It is also very user friendly, i.e., its settings are comfortable to change and easy to understand. It also provides many other features. To know more about Cloudflare, see the CloudFlare Overview.

Benefits of CDN:

Loading time is faster.

Gives better performance.

Gives a better user experience.

Improves site ranking.

Protection against surge in traffic.

Protection against DoS.

Conclusion:

The importance of CDNs will grow day by day, as they play a vital part in the internet. Even now many companies are trying to advance their edge servers and give users the fastest loading experience. Having a good knowledge of CDNs and how they work helps in giving users a better experience of the website.

Secure Socket Layer: It is the standard technology for creating an encrypted link between a web server and a browser, which makes sure that the data passed between the web server and the browser remains private and protected. It was developed and released by Netscape in 1996 as a technology for security management. It is a commonly used protocol for managing the security of message transmission on the internet. It is a transparent protocol which requires little interaction from the end user when creating a secure session. It is included as a part of both Microsoft and Netscape browsers as well as most other browsers. The “Sockets” part of SSL (Secure Socket Layer) refers to the sockets method of passing data between the server and the browser, or between program layers in the same computer. In order to create an SSL connection, a web server needs an SSL certificate.

What is SSL Certificate?

An SSL Certificate is the way web servers prove their identity to web browsers, allowing a secure site to communicate privately with browsers over the HTTP protocol. It is digitally signed by a certificate authority that most web browsers trust; there are many certification authorities, including government agencies. A company can purchase an SSL certificate for its web server from certificate authorities, which verify the company’s identity. It inspires trust, as each certificate contains identification details, and the details a user shares through the browser stay private and secure. It is also a bit of coding on the web server that provides security for online communication.

Why is it essential and important?

Most people wonder why there is a need to use SSL. For people who own sites, or customers who want to do banking or any private transaction, it is very important. If you are not using SSL, the data transmitted or submitted is not encrypted, and if the data reaches the wrong hands it will create a problem. To be on the safe side, use SSL so that the data is encrypted and the information is safe.

How can you get a SSL Certificate?

To get an SSL certificate, you first need to create a Certificate Signing Request (CSR) on your server, which creates a private key. The CSR is then sent to the SSL certificate issuer, also called the Certificate Authority or CA. The CA will use the CSR data files to create a public key that pairs with your private key; the CA will never see the private key. After receiving the certificate, install it on your server. Also install the intermediate certificates, which establish the credibility of your SSL certificate by tying it to the CA’s root certificate. Instructions for installing and testing your certificate differ based on your server. The certificate contains the organization’s identity details, the validity period of the certificate and the name of the CA that issued it.

A browser comes with a list of reputed CAs whose certificates it trusts. The certificate issued by a CA verifies that the organization’s identity is genuine. As the browser trusts the CA and the CA certifies your organization, the browser automatically trusts the organization. The browser then lets the user know that the website is secure, and the user will be safe and can share personal details.

How does it work?

When a user requests a website through a browser, the browser and the server create a connection through a process called the “SSL Handshake”. This is not visible to the user and happens instantly. Mainly three keys are involved in setting up an SSL connection: a private key, a public key and a session key. Data encrypted with the public key is decrypted with the private key and vice versa.

As encrypting and decrypting data with the public and private keys takes a lot of processing power and time, these keys are only used during the SSL Handshake to make an SSL connection and create a session key. Once the session key is created, all transmitted data is encrypted using this session key.

The process goes in five simple steps:

A browser connects to a web server and requests that the web server identify itself.

The server sends a copy of its SSL certificate to the browser.

The browser checks whether the CA that issued the certificate is in its list of trusted CAs, and also checks that the certificate is unexpired, unrevoked and has the common name that was asked for. If all the details are valid, it creates a session key, encrypts it with the server’s public key and sends it back to the server.

The server decrypts the session key using its private key and sends back an acknowledgment encrypted with the session key to start the encrypted session.

Now both the server and the browser transmit data encrypted with the symmetric session key.

Types of SSL Certificates

There are many types of SSL certificates. You need to know the features of each certificate before purchasing one. The different types of certificates are:

Extended Validation (EV) SSL Certificate: This type of certificate is designed to prevent phishing attacks. It takes a few days to a few weeks to receive this certificate, but it provides very high assurance. Before issuing this certificate the CA checks the applicant’s right to use the domain and also conducts thorough vetting of the organization. It verifies the legal, physical and operational existence of the organization or the domain. It also checks that the identity matches the organization’s official records. If all these are satisfied, the EV Certificate is issued.

EV SSL Certificates are available for all kinds of businesses, whether government or non-government organizations. A set of guidelines called the EV Audit Guidelines must be followed before issuing EV SSL Certificates. The audits are repeated yearly.

Organization Validation (OV) SSL Certificate: Before issuing this kind of certificate the CA checks the applicant’s right to use the domain and also conducts vetting of the organization. This certificate displays the owner of the domain, its validation and the name of the CA that issued the certificate. This provides good assurance to browsers.

Domain Validation (DV) SSL Certificates: This is a low-assurance SSL Certificate. It only displays the domain name, not the owner or the organization details. However, authorities can easily find out whom the domain belongs to using “WHOIS”. These certificates are issued instantly and are cheaper than others but provide low assurance to customers.

Wildcard Certificate: This certificate can secure all the sub-domains under a domain name. For example if you have a wildcard certificate for *.domain.com then it secures www.domain.com, mail.domain.com etc. It will secure all the sub-domains with wildcard symbol (*).

SGC SSL Certificate: These certificates enable old browsers to connect to a site using 128-bit encryption even though those browsers normally have 40-bit encryption. These certificates are costly and are issued by only a few vendors, as there are strong arguments against SGC SSL Certificates.

Root Certificate and Chain or Intermediate Certificate: A CA issues certificates in the form of a tree structure. At the top is the root certificate, which is the most trusted certificate. A certificate signed by the trusted root certificate is trusted. All the certificates below the root certificate inherit trustworthiness from the root.

The certificate that links your organization’s certificate with the root certificate is called Chain certificate or Intermediate Certificate. These certificates must be installed in your server so that the browsers can link your certificate to a trusted authority.

Scalable SSL Certificate: Most certificate authorities now issue this certificate. Here the encryption strength can vary from the lowest, 40 bit, to higher levels depending on what the browsers and servers support.

Advantages:

There are many advantages of using SSL Certificate:

Server Authentication: The certificates protect your website. All the information of your site is stored on a server; with SSL digital certificates, all your information and your customers’ information is protected.

Private Communication: Your transaction conversations will be private, as SSL certificates encrypt any data that is transmitted; hence customers feel safer and more secure about their data.

Customer Confidence: The main reason you would opt for an SSL certificate is customer confidence. As the data will be encrypted, customers will feel that their information is safe, have confidence and faith in your site, and feel free to share information.

Disadvantages:

Along with so many advantages, SSL also has disadvantages. They are:

Cost: This is the main disadvantage as cost for a certificate is really high.

Performance: As the transmitted data is encrypted, more time is consumed, and hence it decreases the performance of the site.

With so many benefits the disadvantages can be overlooked. It is very much needed to use SSL Certificates especially if you are sharing personal information on sites. If your site is with SSL certificates, customers will trust your site and can share personal information.

One fine morning you wake up, go to look at your website, and suddenly see a danger signal warning that your website has been compromised. For a webmaster this is the worst nightmare. Have you had any such experience? If so, whom do you blame for it? Security has become one of the most essential parts of website management these days, as there are plenty of ways your website can be affected by hacking, spamming or hijacking attacks. As a Host Department customer, you may be well protected on the server and network side, but are you really protected on the inside? That is the real question here: how do you secure your website internally?

You may use the strongest locker in the world to protect your wealth, but what is the use if you leave the doors open? The same thing applies to your website. We host thousands of websites and only rarely receive complaints about compromised websites. What do we do in such cases? First we try to understand where the loophole is, and let me tell you something here: most of the time it is an application with an outdated version, or some files which have full permissions (777) (read, write, execute), which means you are giving hackers an open invitation to compromise your website. We often try to warn our customers to update their CMSs or blog applications such as WordPress, Joomla, Drupal etc., but they ignore it, which ultimately results in this kind of hacking attack. Recently, in a press release, Joomla announced that they have deprecated all the 1.x.x versions of Joomla. See the note below from their website.

Joomla! 1.0.x, 1.5.x, 1.7.x – these versions have been deprecated for a very long time and is no longer supported in any way, but there are still websites using it (shame on you!). Generally denoted by a red stripe across the top of the page, you will find the version number at the bottom of the page.

But there are still a lot of Joomla users running the same old versions. So how do you make your website security rock solid? Please read the instructions below to tighten your website security.

10 Ways to Secure your Website:

Step #1: Secure your Directory and File Permissions:

This is one of the most common causes of a site being easily compromised. In a lot of cases CMS-type applications need 777 permissions to execute a few tasks. There is nothing wrong with giving full access temporarily, but if you leave that file or folder with full permissions for a long time, that directory or file is accessible and writable by anyone. In such cases it is very easy for hackers to compromise and infect your pages. So, what is the solution? What are the recommended file and folder permissions?

The three digits of 777 indicate the Owner, Group and Public permissions respectively.

Recommended Folder and File Permissions:

Recommended directory permissions: 755 (rwx,rx,rx)

Recommended file permissions: 644 (rw,r,r).

Make sure that you always have these permissions assigned to the folders and files in your website; this is one of the important steps in protecting your website from malicious attacks.
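One way to check a site tree against the 755/644 recommendation is sketched below as an added example (not a tool from the original post or from Host Department). The function names and the temporary sample tree are assumptions; the fix only removes permission bits beyond 755/644 and never loosens a stricter mode, so a script that must stay executable needs an exception of its own.

```python
import os
import stat
import tempfile

DIR_MODE = 0o755   # rwx,rx,rx
FILE_MODE = 0o644  # rw,r,r


def audit_permissions(root, fix=False):
    """Report directories and files that grant more than 755 / 644.

    With fix=True the extra bits are removed in place."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        entries = [(dirpath, DIR_MODE)]
        entries += [(os.path.join(dirpath, name), FILE_MODE) for name in filenames]
        for path, recommended in entries:
            info = os.lstat(path)
            if not (stat.S_ISDIR(info.st_mode) or stat.S_ISREG(info.st_mode)):
                continue  # skip symlinks, sockets and device nodes
            current = stat.S_IMODE(info.st_mode)
            if current & ~recommended:
                tightened = current & recommended
                findings.append({
                    "path": os.path.relpath(path, root),
                    "mode": oct(current)[2:],
                    "fix_to": oct(tightened)[2:],
                    "world_writable": bool(current & stat.S_IWOTH),
                })
                if fix:
                    os.chmod(path, tightened)
    return sorted(findings, key=lambda item: item["path"])


def build_sample_tree():
    """Create a small constructed site tree in a temporary directory."""
    root = tempfile.mkdtemp(prefix="site-")
    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    layout = {
        os.path.join(root, "index.php"): 0o644,      # as recommended
        os.path.join(root, "config.php"): 0o600,     # stricter, left alone
        os.path.join(uploads, "photo.jpg"): 0o666,   # writable by anyone
    }
    for path, mode in layout.items():
        with open(path, "w") as handle:
            handle.write("sample\n")
        os.chmod(path, mode)
    os.chmod(uploads, 0o777)                         # the "temporary" full access
    return root


if __name__ == "__main__":
    site = build_sample_tree()
    for item in audit_permissions(site, fix=True):
        print(item)
```
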

Step #2: Use Strong FTP Passwords:

This is one of the most common blunders webmasters make: they always use simple passwords for their FTP login. This is one of the worst mistakes and can lead to some big problems. To avoid this, always use secure passwords.

A strong password does NOT, in any way, use your personal information, such as name, phone number, Social Security number, birth date, address or names of anyone you know. You can make use of some great online tools to generate strong passwords, like Random password generator etc. You can also check the strengths of your present passwords using some tools like Microsoft password strength checker or password meter etc.

Also, please make sure that you change your password every week, or at least every month.

Step #3: Keep your Applications up to date:

Open source applications occupy a major part of website design and development; these days a lot of people host open source CMS applications. We too encourage you to host them, but if you don’t keep them up to date, you are definitely in trouble. We have tried to warn you about this several times, but most of the time webmasters ignore it.

We often send you email alerts about the security issues of using old versions of applications, but in most cases customers ignore them. We request that you keep your applications up to date. There are thousands of people working on open source projects to keep them up to date and secure, so why not benefit from those free and secure updates?

Step #4: Secure your pages with SSL Certificate:

Do you have an eCommerce-type website? Then you should know that having an SSL certificate for your store is one of the most important things for protecting your customers’ valuable data, and your reputation as well. Even if you have just one page which provides a login for your customers or members, it is recommended to have an SSL certificate. This will ensure that all the information your pages send over the internet is encrypted and almost impossible for any hacker to read.

Step #5: Protect your .htaccess file:

The .htaccess file is one of the most important and most powerful files: it controls the behavior of your website and even has the power to redirect your entire website to a different one. This type of attack has become more popular these days; in it, a malicious hacker injects redirection code pointing to a malicious website. So how do you protect your .htaccess file? It is simple: as I said earlier, do not assign full permissions to your .htaccess file, or you can write the piece of code below in your .htaccess file, which does not let others access it.

# Deny web access to any file whose name contains ".hta" (for example .htaccess)
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>

The above code will protect your htaccess file from being accessed by others and will not let hackers inject any malicious code.

Step #6: Keep your home or office PC Secure:

You may ask how keeping your own system safe protects your web pages. A recent survey disclosed that 30 to 40% of malicious files are uploaded by the webmasters themselves, and our experience teaches the same. If your system is infected with a virus, then obviously the next job of that virus is to inject malicious code into your web pages while you are uploading them, or to send your login credentials to a remote hacker so he can take care of the rest.

So always keep your PC clean and scan it daily with an updated antivirus program. Check for any unusual behavior before uploading your files.

Step #7: Use Secure Passwords for your Emails IDs:

Email IDs getting compromised because of weak passwords is one of the fastest rising issues in the hacking and spamming era. Once a hacker manages to guess your password using a brute-force attack, he will simply start sending bulk mail to various email addresses on the same server or even outside it. Ultimately your mail server IP gets blacklisted and you are not able to send and receive emails; you then need to request delisting from the blacklist.

To avoid this kind of issue, it is recommended to use secure and strong passwords for your email IDs. In our personal experience we have seen plenty of such cases. We often send alerts to your email about weak password usage; please do not ignore them, and change your password to a secure one.

Step #8: Secure your Private and Admin areas with IP restrictions:

It is always recommended to secure your private areas with IP restrictions, or at least with SSL encryption. IP restriction is a somewhat advanced yet effective method of stopping unauthorized personnel from accessing a particular area of your website. If you have a static IP for your home or office PC, it is recommended to set IP restrictions with an .htaccess rule, so that only your home or office PC can access that particular area.

Here is an example of .htaccess code that restricts access to a particular location by IP.

# ALLOW USER BY IP
# The rules apply to every request method; wrapping them in <Limit GET POST>
# would leave all other methods unrestricted.
order deny,allow
deny from all
allow from 1.2.3.4

The above code restricts all users from accessing a particular area except the allowed IP (ex: 1.2.3.4). You can replace that IP address with yours and place the .htaccess file in the folder which you want to restrict from public access.

Step #9: Change your database table prefix:

If you have a dynamic website with back-end database support, it is recommended to use a table prefix different from the default one that comes with your application. Also, if you have raw tables without any prefix, it is important to add a prefix which is hard to guess. This will ensure that no one is able to guess what your database username is, so there is no point in hacking the password.

We also recommend that you use strong passwords for your database users; do not use the same password for all the users. Make sure that each of your passwords is unique and absolutely strong.

Step #10: Try to have your own virtual private server:

Having your own virtual private server (VPS) is always an added advantage: you can define your own rules, and you have your own server with your own choice of OS, such as a Windows VPS or a Linux VPS. This enables an additional layer of security and keeps all your data on your own server. This may not be a security measure in itself, but it is worth trying, because you get a lot of advantages, like writing your own rules and installing all types of security applications.

I hope you learned a few important tips about your website security today. Please do drop your comments, questions and suggestions in the comments section below, and if you like this post, please consider sharing it with others.